Difference between revisions of "OWASP EU Summit 2008 Training (Courses to be Approved)"
Revision as of 19:28, 16 September 2008

The courses listed on this page are to be approved by OWASP Board.



Source Code Review

Instructor

Eoin Keary and Daniel Cuthbert

Duration

Please enter the text here

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Advanced Phishing and Social Engineering Training

Instructor

Joshua Perrymon

Duration

1 day

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

This class is designed to illustrate hands-on methods used in the real world to attack the human layer. It focuses on spear phishing using the newly introduced OWASP phishing framework (LUNKER). Attendees will identify target email addresses using a variety of methods, identify potential phishing sites, create a spoofed email and send the attack, all in a locally run test environment in VMware or from a LiveCD.

Upon completion of this course, attendees will have an in-depth understanding of the latest techniques used to perform these types of attacks. The class also covers additional social engineering attack methods such as impersonation, authority attacks, pretext attacks and more. Advanced topics such as email payloads and man-in-the-middle attacks on second-factor tokens are covered as well.

1. Introduction to Social Engineering

2. Understanding the Human Aspect of Security

3. Review of aggressively vertical hacking methodology

4. Analysis of attack trending over the years (up the OSI model)

5. Review of public Social Engineering attacks in the media

6. Hands on: Spear Phishing demo using the Lunker Framework

    a. Understanding the Social Engineering scope of work
    b. Set up client info
    c. Gather email addresses/targets
    d. Identify potential phishing sites
    e. Creation of spoofed emails
        i. Custom footers
        ii. Attack scenarios
        iii. Email header options
    f. Test environment: review the spoofed email and phishing site
    g. Send attack
    h. Monitor: discuss the steps to take once users send in credentials
    i. Advanced phishing attacks: recon, XSS/CSRF/browser exploit/trojan payloads
    j. MITM attacks on 2-factor authentication
    k. Summary


Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Web server/services hardening using SELinux

Instructor

Pavol Luptak

Duration

1 day

Summary

Security-Enhanced Linux (SELinux) is an implementation of the FLASK architecture integrated in the Linux kernel, together with a number of utilities, that provides mandatory access control (MAC) through the Linux Security Modules (LSM) framework. SELinux supports several kinds of mandatory access control policy, including those based on type enforcement, role-based access control and multi-level security.

A Linux kernel with SELinux enforces mandatory access control policies that confine user programs and system servers to the minimum privilege they need to do their jobs. This reduces or eliminates the ability of these programs and daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example). The confinement mechanism operates independently of the traditional Linux access controls: the policy has no notion of an all-powerful "root" super-user, and it does not share the well-known shortcomings of the traditional Linux security mechanisms, such as the dependence on setuid/setgid binaries.

This training covers the basic concepts of SELinux and how it differs from classical UNIX/Linux systems, describes the security advantages of mandatory access control policies, and teaches how to configure a fully functional LAMP environment on an SELinux system effectively and rapidly.

Audience

Please enter the text here.

Table of Contents

1. SELinux history

2. Unix/Linux DAC (Discretionary Access Control) and its problems

3. MAC (Mandatory Access Control)

4. Advantages of using MAC

5. DTE (Domain Type Enforcement) model

6. RBAC (Role-Based Access Control) model

7. MLS (Multi Level Security) model

8. SELinux FLASK Architecture

9. SELinux policy (EXERCISE)

10. File System Security Contexts (EXERCISE)

11. SELinux Object Classes and Permissions

12. TE (Type Enforcement) Rules (Attributes, Type Declaration, Type Transitions, Domain Type Transitions, Object Labeling Transitions, Access Vectors)

13. Understanding AVC, log messages

14. audit2allow and audit2why (EXERCISE)

15. SELinux Troubleshoot Tool (EXERCISE)

16. Auditing and Auditing tools

17. Policy Macros

18. Backtracking rule (EXERCISE)

19. SELinux Users, Roles, MLS Levels

20. Strict Policy

21. Targeted Policy

22. SELinux Booleans and their use for Apache web server (EXERCISE)

23. Files and Directories in Targeted Policy, common SELinux Macros (EXERCISE)

24. Analyzing Example Policy - apache.te (EXERCISE)

25. Assigning Object and Process Types

26. SELinux Booting

27. Copying and moving files, checking security contexts, relabeling a file and directory's security context (EXERCISE)

28. Policy core utilities

29. Managing File Labeling, Relabeling a File System (EXERCISE)

30. SELinux Administrator GUI (EXERCISE)

31. SELinux Modules (EXERCISE)

32. Hardening existing LAMP environments using SELinux (EXERCISE)

33. Writing New Policy for a Daemon (EXERCISE for clever students)
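As an added illustration of items 13, 14, 22, 27 and 31 to 33 above (example code written for this page, not course material), the script below does by hand what audit2allow does: it turns AVC denial lines for the Apache domain (httpd_t) into type-enforcement allow rules, triages each rule before anything is loaded, and emits a loadable .te module for the remainder. It runs offline with POSIX awk, sed and sort only. The four AVC lines, the module name httpd_local and the type myapp_conf_t are constructed for the example; the boolean httpd_can_network_connect_db and the label httpd_sys_rw_content_t are from the targeted policy on Fedora/RHEL-family systems, so check `semanage boolean -l` and `semanage fcontext -l` on your own release before relying on them.

```shell
#!/bin/sh
# Added example, not part of the course: an audit2allow-style triage pipeline
# for AVC denials from the Apache domain. Everything below is POSIX sh/awk.

# Constructed AVC denials in the format /var/log/audit/audit.log uses
# (three real-world shapes plus one hypothetical type, myapp_conf_t).
AVC_SAMPLE='type=AVC msg=audit(1221589520.123:45): avc:  denied  { name_connect } for  pid=2150 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1221589521.456:46): avc:  denied  { read } for  pid=2150 comm="httpd" name="index.php" dev=sda2 ino=9931 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1221589522.789:47): avc:  denied  { write } for  pid=2150 comm="httpd" name="cache" dev=sda2 ino=12044 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1221589523.012:48): avc:  denied  { read getattr } for  pid=2150 comm="httpd" name="app.conf" dev=sda2 ino=13002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file'

# avc_to_allow: stdin = AVC lines; stdout = one allow rule per
# (source type, target type, class, permission), deduplicated.
# The type is the third field of a context user:role:type[:level].
avc_to_allow() {
    awk '/avc: *denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            print "allow " s[3] " " t[3] ":" cls " " p[i] ";"
    }' | sort -u
}

# triage_rules: stdin = allow rules; stdout = what to do about each one.
# A bare "allow" widens httpd_t permanently, so first check whether a stock
# boolean or a relabel already covers the denial. Only the rest gets a module.
triage_rules() {
    awk '
    /^allow httpd_t mysqld_port_t:tcp_socket name_connect;/ {
        print "BOOLEAN setsebool -P httpd_can_network_connect_db on"; next }
    /^allow httpd_t user_home_t:/ {
        print "RELABEL content still carries its home-dir label (mv keeps the old context); run restorecon -Rv on the DocumentRoot"; next }
    /^allow httpd_t httpd_sys_content_t:(dir|file) (write|create|add_name|remove_name|unlink);/ {
        print "RELABEL writable directories get httpd_sys_rw_content_t instead of a policy change"; next }
    { print "MODULE " $0 }'
}

# allow_to_te: stdin = allow rules, $1 = module name; stdout = .te source in
# the shape audit2allow -M produces (module line, require block, rules).
allow_to_te() {
    _te_rules=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$_te_rules" \
        | awk '{ split($3, a, ":"); print "\ttype " $2 ";"; print "\ttype " a[1] ";" }' | sort -u
    printf '%s\n' "$_te_rules" \
        | awk '{ split($3, a, ":"); p = $4; sub(/;$/, "", p); print a[2], p }' | sort -u \
        | awk '{ c[$1] = c[$1] " " $2 } END { for (k in c) print "\tclass " k " {" c[k] " };" }' | sort
    printf '}\n\n%s\n' "$_te_rules"
}

# Usage: triage everything, then build a module only for what is left over.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | triage_rules
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | triage_rules \
    | sed -n 's/^MODULE //p' | allow_to_te httpd_local
```

On the sample input the first three denials never reach the module: one is a boolean, two are labeling mistakes, and only the two permissions on the hypothetical myapp_conf_t type end up in httpd_local.te. Compile and load that file with the checkmodule, semodule_package and semodule steps that audit2allow -M wraps, and keep the module as small as the triage leaves it.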

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Java Secure Programming

Instructor

Lucas Ferreira

Duration

Please enter the text here.

Summary

This training class presents best practices of secure programming in the Java language. It includes Java-specific practices (for example, how to avoid problems that arise from the compilation of Java source code to the bytecode executed by the JVM) and practices that also apply to other programming languages (with examples in Java). Some tools that can be used to verify the security of Java code and systems will be demonstrated.

The topics include a quick overview of the OWASP Top 10, to put the practices in context, and several best practices aimed at the different software layers. At the presentation layer the focus is on input validation, access control issues and dealing with exceptions. At the business objects layer the practices deal with cloning and serialization issues. Practices to prevent command injection are presented at the persistence layer. Practices that apply throughout the software are also presented, including input data validation, class and method visibility, using and storing secrets, dealing with inner classes, overflows and boxing, and object initialization.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Advanced Web Application Penetration Testing

Instructor

Aspect Security

Duration

Please enter the text here.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Leading, Planning, and Executing an Application Security Initiative

Instructor

Aspect Security

Duration

Please enter the text here.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Foundations of Web Application Security

Instructor

Aspect Security

Duration

Please enter the text here.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Secure Coding .NET Web Applications

Instructor

Aspect Security

Duration

Please enter the text here.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Building Secure Rich Internet Applications

Instructor

Aspect Security

Duration

Please enter the text here.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Web Application Security - Advanced Attacks and Defense

Instructor

Aspect Security

Duration

Please enter the text here.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

What Developers Should Know on Web Application Security

Instructor

Sebastien Deleersnyder

Duration

Please enter the text here.

Summary

Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites. Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of a development or deployment organization has specific needs and requirements regarding web application security education: a manager needs different information than a security professional or developer, and novices to the profession require different training than people with several years of experience.

The OWASP Education project aims to provide building blocks of web application security information. These modules can be combined into education tracks targeting different audiences. This education track is a 4 hour session covering what developers should know about web application security. It starts with an explanation of web application security and why it is important. The OWASP Top 10 is then used to explain the nastiest vulnerabilities and how they can be prevented or remediated. A secure coding initiative must deal with all stages of a program's life cycle, and secure web applications are only possible when a secure SDLC is used; the SDLC is explained from the standpoint of people, processes and tools. Good secure development practices, of particular interest to developers, are covered in a separate topic. Finally, the track finishes with an extensive list of web application security resources for web application developers.

Audience

Web application developers who are unaware that there are security issues with contemporary web applications. No prior knowledge of web application security is assumed or required. This track is independent of the coding language or web framework used, such as PHP, JSF, Java EE or .NET. Web application developers are only one link, albeit an important one, in the chain that represents the security of a web application; this track aims to make that link as secure as possible within the constraint of 4 hours. Another important aspect is that web application security should be tailored to the risk profile of an organization and to the specific development environment of that organization.

Table of Contents

The challenge is to cover web application security in 4 hours for a web application developer. It is presented in such a way that developers will be able to recognize and correct web application vulnerabilities in their own projects.

Why WebAppSec Matters (20 min; slides: http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt)

This part is the introduction of the track. It identifies the current security problems with web applications, gives a definition of web application security, and explains the trends that influence the current state of web application insecurity.
  • What goes wrong
  • WebAppSec Defined
  • Current trends

OWASP Top 10 Introduction & Remedies (90 min; slides: http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt)

The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.
  • Cross Site Scripting (XSS)
  • Injection Flaws
  • Malicious File Execution
  • Insecure Direct Object Reference
  • Cross Site Request Forgery (CSRF)
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Failure to Restrict URL Access

Embed within SDLC (People, Processes & Tools) (20 min; slides: http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt)

There is no silver bullet when it comes to securing web applications. The problem has to be addressed from different angles, covering the actors involved, the processes (development as well as deployment) and the technologies.
  • People Awareness and Education
  • Development WebAppSec Controls
  • Deployment WebAppSec Controls
  • WebAppSec Tools

Good Secure Development Practices (70 min; slides: http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt)

Next to the Top 10 remedies, this module provides good secure development practices from the OWASP Guide, covering for example:
  • Validating User Input
  • Authentication
  • Authorization
  • Session Management
  • Using Interpreters
  • Crypto
  • Catching Errors
  • File System
  • Configuration
  • Web 2.0

Testing for Vulnerabilities (20 min; slides: http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt)

One important aspect is testing for application vulnerabilities. This short module provides an introduction together with some WebGoat test cases.
  • Testing for application vulnerabilities
  • The OWASP Testing Guide
  • WebGoat demonstrated

Good WebAppSec Resources (not limited to OWASP) (10 min; slides: http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt)

This 4 hour education track is only the beginning of your journey. Web application security is a moving target: new vulnerabilities and threats are discovered regularly, and web application security controls are still maturing. The following resources should provide enough pointers to serve both as reference and for further research.
  • Hard Copy
  • Web Sites
  • Mailing lists
  • Blogs

Roundup (10 min)

Course Specifics

Please enter the text here. (i.e. bring your own laptop)

Course Name

Instructor

Please enter the text here.

Duration

Please enter the text here.

Summary

Please enter the text here.

Audience

Please enter the text here.

Table of Contents

Please enter the text here.

Course Specifics

Please enter the text here. (i.e. bring your own laptop)